Tag phishing

InfoSec Week 30, 2018

Researchers from the Palo Alto Networks analyzed new Mirai and Gafgyt IoT/Linux botnet campaigns. The samples used more than 11 exploits for spreading, exploiting D-Link, Dasan GPON routers.
https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/

Brian Krebs published a blog post about the current status of the Universal 2nd Factor (U2F) support. Google practically eliminated employee phishing by introducing mandatory usage of the physical security keys.
https://krebsonsecurity.com/2018/07/google-security-keys-neutered-employee-phishing/

There is a new module for the CHIPSEC Security Assessment Framework to check CPU USB debug features and host Direct Connection Interface (DCI), which can be used to modify system firmware with physical access and introduce "Evil Maid" firmware attacks.
https://blog.eclypsium.com/2018/07/23/evil-mai%EF%BB%BFd-firmware-attacks-using-usb-debug/

Chinese police arrested malware developers for hacking millions of computers to steal $2 million in cryptocurrencies.
https://www.ccn.com/chinese-police-arrest-malware-developers-who-hacked-2-million-in-crypto/

Paper on a new Spectre variant called SpectreRSB was published with the name "Spectre Returns! Speculation Attacks using the Return Stack Buffer".
According to a paper „none of the known defenses including Retpoline and Intel's microcode patches stop all SpectreRSB attacks.“
https://arxiv.org/abs/1807.07940

The source code of an Exobot Android Banking Trojan has been leaked online back in May has rapidly spread in the malware community.
https://www.bleepingcomputer.com/news/security/source-code-for-exobot-android-banking-trojan-leaked-online/

Because of insufficient validation of parameters in many Bluetooth implementations, attackers can inject invalid elliptic curve parameters which aren’t checked by many implementations in an invalid public key making session keys vulnerable.
https://www.kb.cert.org/vuls/id/304725

The Cisco Talos security team found multiple vulnerabilities, including remote code execution vulnerability in the Sony IPELA E series network camera. https://blog.talosintelligence.com/2018/07/sony-ipela-vulnerability-spotlight-multiple.html

NSA declassified papers from John Tiltman, one of Britain’s top cryptanalysts during the Second World War, which reveal how pre-world war 2 Brits analyzed and decrypted Russian cryptography.
https://www.theregister.co.uk/2018/07/19/russia_one_time_pads_error_british/

InfoSec Week 28, 2018

Hackers have poisoned the Arch Linux PDF reader package named “acroread” that was found in a user-provided Arch User Repository (AUR). They have put downloader malware inside.
https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/

Hackers took over the maintainer account of the eslint-scope and eslint-config-eslint npm packages and published malicious versions which were downloading some juicy scripts from the pastebin.com. https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes

Backend of the TimeHop iOS application was compromised, personal records of the 21 million customers leaked.
https://www.timehop.com/security/technical

Nice journalism about how few researchers found the names and addresses of soldiers and secret agents using Strava fitness application when the company published tracking maps on the internet.
https://decorrespondent.nl/8481/heres-how-we-found-the-names-and-addresses-of-soldiers-and-secret-agents-using-a-simple-fitness-app

Lexington Insurance Company and Beazley Insurance Company are suing Trustwave over a 2009 breach. Trustwave supposedly failed to detect malware that caused a breach.
This will be huge precedent in the whole industry.
https://www.bleepingcomputer.com/news/security/security-firm-sued-for-failing-to-detect-malware-that-caused-a-2009-breach/

One email to a North American Network Operators mailing list led to a concerted effort to kick a notorious BGP hijacking factory off the Internet.
https://blog.apnic.net/2018/07/12/shutting-down-the-bgp-hijack-factory/

It looks like that the Carbanak banking malware source code was leaked.
https://malware-research.org/carbanak-source-code-leaked/

Researchers found spying malware signed using digital certificates stolen from D-Link and other Taiwanese tech-companies.
https://thehackernews.com/2018/07/digital-certificate-malware.html

InfoSec Week 3, 2018

Notoriously known Necurs spam botnet is sending millions of spam emails that are pumping shitcoin cryptocurrency named Swisscoin. Attackers are probably invested and are expecting to do pump-and-dump scheme.
https://www.bleepingcomputer.com/news/cryptocurrency/worlds-largest-spam-botnet-is-pumping-and-dumping-an-obscure-cryptocurrency/

Nice article on Russia's hacking capabilities against the foreign critical infrastructure.
https://www.fastcompany.com/40515682/the-other-scary-foreign-hacking-threat-trump-is-ignoring

Taiwanese police has handed malware-infected USB sticks as prizes for cybersecurity quiz. The malware was some old sample trying to communicate with non-existing C&C server in Poland. The thumb drives were infected by third-party contractor.
https://www.theregister.co.uk/AMP/2018/01/10/taiwanese_police_malware/

New research is analyzing usage of the Certificate Authority Authorization (CAA) DNS records. CAA records enable domain owners to explicitly tell which certificate authority may issue digital certificates for their domain. Only 4 of the large DNS operators that dominate the Internet’s DNS infrastructure enabled their customers to configure CAA records, but things are getting better after this audit.
https://caastudy.github.io/

Lenovo engineers have discovered a backdoor affecting RackSwitch and BladeCenter switches running ENOS (Enterprise Network Operating System). The company already released firmware updates.
The backdoor was added to the source code in 2004 when it was maintained by Nortel.
https://www.bleepingcomputer.com/news/security/lenovo-discovers-and-removes-backdoor-in-networking-switches/

Nice technical report about PowerStager, Python / C / PowerShell malware used in the Pyeongchang Olympic themed spear phishing attack.
https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/

InfoSec Week 32, 2017

The lone Nigerian guy is responsible for an attack against at least 4000 gas, oil, banking, infrastructure organizations using phishing and NetWire trojan for remote access.
https://blog.checkpoint.com/2017/08/15/get-rich-die-trying-case-study-real-identity-behind-wave-cyberattacks-energy-mining-infrastructure-companies/

Alert Logic published report about the cloud security. Public cloud is generally more secure than private and on-premises networks. Attack vectors are the same as for most online applications - mostly SQL injection, remote code execution against the web applications.
https://www.alertlogic.com/assets/industry-reports/alertlogic-cloud-security-report-2017.pdf

Oxford University researchers published so called intra-library collusion (ILC) attack against the Android devices. From the research paper: "(intra-library collusion attack) occurs when a single library embedded in more than one app on a device leverages the combined set of permissions available to it to pilfer sensitive user data".
https://arxiv.org/pdf/1708.03520.pdf
https://nakedsecurity.sophos.com/2017/08/15/how-shared-android-libraries-could-be-weaponized-for-data-theft/

Four remotely exploitable vulnerabilities were identified in Siemens’ Molecular Imaging products running Microsoft Windows 7 operating system.
https://ics-cert.us-cert.gov/advisories/ICSMA-17-215-02

A recent phishing campaign that is distributing Trickbot is using extremely plausible imitations of financial institutions and government sites.
https://isc.sans.edu/forums/diary/Malspam+pushing+Trickbot+banking+Trojan/22720/

WikiLeaks has published CIA tool CouchPotato that allows operators to remotely spy on video streams in real-time.
https://wikileaks.org/vault7/#CouchPotato

InfoSec Week 31, 2017

A new version of the Svpeng Android banking trojan is able to record everything users type on their devices. Crazy stuff.
https://b0n1.blogspot.sk/2017/08/android-banking-trojan-misuses.html https://www.bleepingcomputer.com/news/security/new-version-of-dangerous-android-malware-sold-on-russian-hacking-forum/

Great blog by Kaspersky Lab about the steganography techniques used by malware for data exfiltration, covert communication.
https://securelist.com/steganography-in-contemporary-cyberattacks/79276/

Software researcher from Trail of Bits put Windows Defender to the sandbox.
https://blog.trailofbits.com/2017/08/02/microsoft-didnt-sandbox-windows-defender-so-i-did/

Proofpoint researchers found a spear phishing campaign delivering Carbanak malware to the U.S. restaurant chains.
https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor

How to completely take over the ones online identity? This guy demonstrated that practically.
https://defaultnamehere.tumblr.com/post/163734466355/operation-luigi-how-i-hacked-my-friend-without

Airbnb released the open-source serverless framework for detecting malicious files called BinaryAlert. It uses YARA rules, and takes advantage of AWS Lambda functions for analysis instead of a traditional server architecture. Also uses Terraform to manage underlying infrastructure. Interesting project.
https://medium.com/airbnb-engineering/binaryalert-real-time-serverless-malware-detection-ca44370c1b90

TrickBot malware added worm-like SMB spreading module popularized by WannaCry, Petya samples.
https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/

Analysis of the Juniper ScreenOS randomness subsystem backdoor Dual EC backdoor. Complex, Fascinating stuff.
From the research paper: "The more sophisticated of these vulnerabilities was a passive VPN decryption capability, enabled by a change to one of the elliptic curve points used by the Dual EC pseudorandom number generator"
https://www.cs.uic.edu/~s/papers/juniper2016/juniper2016.pdf

Gophish is an open-source phishing toolkit designed for businesses and penetration testers. It provides the ability to quickly and easily setup and execute phishing engagements and security awareness training.
https://github.com/gophish/gophish

Cisco CSIRT has released GOSINT, open source threat intelligence gathering and processing framework.
https://github.com/ciscocsirt/GOSINT

A generic unpacker for packed Android applications released by the Check Point researchers.
https://github.com/CheckPointSW/android_unpacker

InfoSec Week 5, 2017

Egyptian human rights activists, dissidents, lawyers and journalists targeted by the phishing campaign. Links received by the email lead to a fake login page designed to trick the targets into giving away their Dropbox credentials.
https://citizenlab.org/2017/02/nilephish-report/

Multiple Polish banks are victims of a malware infection through the Polish financial regulator KNF.
https://www.databreaches.net/hackers-break-into-polish-banks-through-government-regulator-charged-with-bank-security-standards/

Hackers broke into the Czech Foreign Ministry email. "It must have been carried out from the outside, by another country. The way it was done bears a very strong resemblance to the attacks on the US Democratic Party's internet system," said the foreign minister, citing experts.
http://www.securityweek.com/hackers-target-czech-foreign-ministrys-email-system

Extensive analysis of the Locky Bart ransomware binary and the backend server. Binary executable is obfuscated by the WPProtect code-virtualization. Server backend is written using Yii PHP framework.
https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/

APT group Turla using a new javascript payload called KopiLuwak when conducting their phishing attacks. The payload is stored in Office documents using embedded macro and uses multiple layers of the javascript obfuscation.
https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/

APT activity attributed to the Chinese actors is targeting military and aerospace industry in Russia and Belarus. The malware uses steganography to hide the payload.
https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugxs

Can Foreign Governments Launch Malware Attacks on Americans Without Consequences? There is an interesting ongoing court case - Kidane v. Ethiopia - where the Ethiopia's lawyer argued "that it should be able to do anything to Americans in America, even set off a car bomb, as long as Ethiopia didn’t have a human agent in the United States. One judge asked what would happen if Ethiopia mailed a letter bomb into the United States to assassinate an opponent, or hacked an American's self-driving car, causing it to crash. Ethiopia didn't hesitate: their counsel said that they could not be sued for any of those."
https://www.eff.org/deeplinks/2017/02/can-foreign-governments-launch-malware-attacks-americans-without-consequences

A hacker who has stolen 900 GB of data from the mobile forensics company Cellebrite, leaked online some known tools for the iOS exploitation and announced further releases. Released tools are publicly available frameworks. Hacker added that BlackBerry files in his possession are not publicly available.
https://motherboard.vice.com/en_us/article/hacker-dumps-ios-cracking-tools-allegedly-stolen-from-cellebrite
http://pastebin.com/y9P19guS

Facebook engineers presented at the USENIX Enigma conference, a new mechanism for recovering access to lost online accounts, called Delegated Recovery. Delegated Recovery "allows an application to delegate the capability to recover an account to an account controlled by the same user or entity at a third party service provider".
https://github.com/facebookincubator/DelegatedRecovery/

Printer Exploitation Toolkit (PRET) is a new printer security testing framework.
https://github.com/RUB-NDS/PRET